The next piece of Azure AD Identity Governance is Privileged Identity Management (PIM). PIM lets you configure “just-in-time” access for Azure AD roles and Azure resources, so that users hold temporary, eligible access to privileged roles rather than permanent assignments. Users must activate their rights before performing administrative tasks, and those rights can be set to expire after a defined period. In addition, you can configure settings individually for each role, run access reviews to govern the need for each privileged assignment, and monitor the usage of each role.
With Azure AD PIM, no user should be directly granted privileged rights. By default, all access grants should be configured and managed within PIM as eligible assignments. The need for permanent rights should not exist… there is no need to have admin rights while we sleep. You do sleep, right?
This article will provide the requirements, administrative tasks, and end user experience for Azure AD PIM.
Azure AD PIM has the following requirements and limitations:
- Azure AD Premium P2 licenses
- Roles that can manage Azure AD PIM:
  - Global Administrator
  - Privileged Role Administrator
- All Azure AD roles and Azure resource roles are supported. Classic subscription administrators cannot be managed, including:
  - Account Administrator
  - Service Administrator
I also recommend having at least one (two for larger enterprises) break-glass emergency account, assigned permanently outside of PIM, to prevent being locked out of your environment.
These are a few definitions to understand what Azure AD PIM is referencing:
- Just-in-time access: A method where a user receives temporary access for a specified period to perform their duties when they need to, and the access is automatically removed when that period ends.
- Activate: The process a user must complete to enable an eligible role.
- Eligible: A role is assigned to a user but not enabled. The user must activate the role to enable it on their account.
- Permanent: A role is assigned to a user and is always enabled.
Let us look at what we can do with Azure AD PIM. The Azure AD PIM admin portal is reachable from the Azure AD Identity Governance page, but it also has its own blade in the Azure portal; either browse through Azure AD or search for it directly. Once on the main page, go to Manage > Azure AD roles. This takes you to the menu options under Manage. However, the first place to start is the Overview page, which gives a graphical summary of the Azure AD PIM environment including:
- Role activations in the past week
- Role assignment distribution chart
- New PIM role assignments
- Assignment summary
To begin managing the roles, select Roles. This will present you with all the available Azure AD roles (or Azure resource roles). From here you can click + Add assignments to select a role and add a user to it.
Or you can search or browse to the role you wish to manage. You can see current role description as well as Active and Eligible assignments.
When you select Update on a user's assignment, you can choose either the Eligible or the Permanent assignment type. You also have the option to set an end date on the assignment. Selecting the Permanent type requires a justification to be entered.
Back on the main page, selecting Assignments brings you to an alternative view listing each user assignment. You can perform the same tasks from this view.
On the Alerts page, you will see any active alerts regarding your Azure AD PIM setup. Selecting an alert will allow you see why the alert was triggered, how to fix it, and recommendations to prevent the alert from reoccurring.
You can configure which alerts to receive. There are seven built-in alerts, each with its own configurable settings such as enable/disable, time frames, and percentage thresholds; the available settings vary per alert type. These alerts include:
- The organization doesn’t have Azure AD Premium P2
- Roles don’t require multi-factor authentication for activation
- Administrators aren’t using their privileged roles
- Roles are being activated too frequently
- Roles are being assigned outside of Privileged Identity Management
- Potential stale accounts in a privileged role
- There are too many global administrators
A recent addition to Azure AD PIM is Discovery and insights, which replaced the previous Security Wizard. This page provides information to help you get started with Azure AD PIM or to run a recurring review.
You can view three crucial insights:
- Permanent Global Administrator assignments
- Highly privileged role assignments
- Service Principals with role assignments.
Selecting any one of these lets you quickly make each user assignment eligible, remove the assignment, or start an access review. Service principals only offer the remove assignment action.
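The following Microsoft Graph PowerShell script is an added example, not part of the original article, that performs the first Discovery and insights action from the command line: it finds every permanent Global Administrator assignment, creates an eligible assignment for the same principal, and only then removes the standing active assignment, so there is never a gap in coverage. It reports service principals instead of touching them (they can only be removed, as noted above) and skips a constructed list of break-glass accounts. It assumes the Microsoft.Graph PowerShell SDK, a session with rights to manage role assignments, and that the justification text and the break-glass UPNs are placeholders you replace.

```powershell
# Added example: convert permanent Global Administrator assignments to PIM eligible.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All"

# Global Administrator role template ID (identical in every tenant).
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

# Constructed placeholders: accounts that must keep standing access (break-glass).
$breakGlass = @("breakglass1@contoso.onmicrosoft.com", "breakglass2@contoso.onmicrosoft.com")

# Active schedules of type "Assigned" (not "Activated") with no expiration are permanent assignments.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty Principal -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and
                   $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' }

foreach ($schedule in $permanent) {
    # The expanded principal is a directoryObject; its subtype fields live in AdditionalProperties.
    $props = $schedule.Principal.AdditionalProperties
    $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }

    if ($props['@odata.type'] -eq '#microsoft.graph.servicePrincipal') {
        # Service principals cannot be made eligible; report them for manual review/removal.
        Write-Warning "Service principal '$name' holds a permanent Global Administrator assignment"
        continue
    }
    if ($breakGlass -contains $name) {
        Write-Host "Skipping break-glass account $name"
        continue
    }

    $now   = (Get-Date).ToUniversalTime().ToString("o")
    $oneYr = (Get-Date).AddYears(1).ToUniversalTime().ToString("o")   # default max eligible duration is 1 year

    # Step 1: create the eligible assignment first so the principal is never without access.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = "adminAssign"
        principalId      = $schedule.PrincipalId
        roleDefinitionId = $gaRoleId
        directoryScopeId = "/"
        justification    = "Converted permanent assignment to PIM eligible"   # placeholder text
        scheduleInfo     = @{
            startDateTime = $now
            expiration    = @{ type = "afterDateTime"; endDateTime = $oneYr }
        }
    } | Out-Null

    # Step 2: remove the standing active assignment.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = "adminRemove"
        principalId      = $schedule.PrincipalId
        roleDefinitionId = $gaRoleId
        directoryScopeId = "/"
        justification    = "Replaced by eligible assignment"   # placeholder text
    } | Out-Null

    Write-Host "Converted $name to eligible"
}
```

Run it first with the two New-Mg* calls commented out to see the list of who would be converted; the order of the two requests matters, because removing the active assignment before the eligibility request succeeds would leave the administrator with nothing to activate.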
The final menu option is Settings. The options here provide a great deal of granularity for each privileged role. This page lists all roles, whether each has been modified, the last update timestamp, and who last updated it. Each role can be individually configured for a variety of options. Activation settings cover duration, MFA requirements, and approvals. Assignment settings control whether permanent or eligible assignments are allowed, expiration requirements, and MFA requirements. Finally, you can configure how notifications are sent.
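As an added example that is not part of the original article, this Microsoft Graph PowerShell script reads the activation settings described above for every Azure AD role and then fixes the condition behind the "Roles don't require multi-factor authentication for activation" alert from the Alerts section. It relies on the fixed rule IDs of the role management policy (Enablement_EndUser_Assignment, Expiration_EndUser_Assignment, Approval_EndUser_Assignment) and on the Microsoft.Graph SDK; the decision to enforce Justification together with MFA is this example's choice, not something the article prescribes.

```powershell
# Added example: audit per-role activation settings and enforce MFA + justification where missing.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory"

# Exactly one policy assignment exists per directory role at tenant scope ("/").
$policyAssignments = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'" -All

$report = foreach ($pa in $policyAssignments) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $pa.RoleDefinitionId

    # Rule IDs are fixed strings; subtype properties of each rule land in AdditionalProperties.
    $enablement = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $pa.PolicyId `
        -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment"
    $expiration = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $pa.PolicyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment"
    $approval   = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $pa.PolicyId `
        -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment"

    $enabledRules = @($enablement.AdditionalProperties['enabledRules'])
    [pscustomobject]@{
        Role                  = $role.DisplayName
        PolicyId              = $pa.PolicyId
        RequiresMfa           = $enabledRules -contains 'MultiFactorAuthentication'
        RequiresJustification = $enabledRules -contains 'Justification'
        MaxActivation         = $expiration.AdditionalProperties['maximumDuration']   # ISO 8601, e.g. PT8H
        RequiresApproval      = [bool]$approval.AdditionalProperties['setting']['isApprovalRequired']
    }
}

# Roles that can be activated without MFA are exactly what the built-in alert flags.
$weak = $report | Where-Object { -not $_.RequiresMfa }
$weak | Format-Table Role, RequiresJustification, MaxActivation, RequiresApproval

foreach ($w in $weak) {
    # Replace the end-user enablement rule; the target block must be sent along with the update.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $w.PolicyId `
        -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            id            = "Enablement_EndUser_Assignment"
            enabledRules  = @("MultiFactorAuthentication", "Justification")
            target        = @{
                caller              = "EndUser"
                operations          = @("All")
                level               = "Assignment"
                inheritableSettings = @()
                enforcedSettings    = @()
            }
        }
    Write-Host "Enforced MFA and justification on activation for $($w.Role)"
}
```

The audit half is safe to run on its own and is a useful recurring check; the update half changes policy for every role it touches, so review the table before letting the loop run.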
End User Role Activation
Users who have been granted eligible status for a role must activate that role assignment before performing any tasks. To activate a role, go to the Privileged Identity Management portal and select Tasks > My Roles. This takes you to the list of eligible Azure AD role assignments. Choose Activate on the role you need.
On the activation screen, you can select a custom activation time, Duration (up to maximum allowed), and, if required, enter a reason for activation. Once complete, click Activate.
If Azure MFA is required and you were not already prompted when signing into the Azure portal, you will be required to verify your identity via Azure MFA at this time. If an approval is required, a message will be sent to the approvers to review the request. Once approved, the role will be activated. If no approval is required, the activation will proceed immediately.
Once activated, you can see the status of your assignment in Active assignments.
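The same activation flow, as an added example (not code from the original article), driven from Microsoft Graph PowerShell while signed in as the eligible user: list the eligible roles (the My Roles view), request activation for a bounded duration with a justification, and then confirm the result in the active assignments. The role name, duration and ticket reference are placeholders; if the role requires MFA and the session did not satisfy it at sign-in, the request is rejected and you must reconnect with MFA.

```powershell
# Added example: activate an eligible Azure AD role from PowerShell.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleEligibilitySchedule.Read.Directory", "User.Read"

$me = Get-MgUser -UserId (Get-MgContext).Account

# Roles I am eligible for (equivalent of Tasks > My Roles).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($me.Id)'" -ExpandProperty RoleDefinition
$eligible | Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId

# Pick one and request activation for two hours (placeholder role name).
$target = $eligible | Where-Object { $_.RoleDefinition.DisplayName -eq 'Security Reader' } | Select-Object -First 1

$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $target.RoleDefinitionId
    directoryScopeId = $target.DirectoryScopeId
    justification    = "INC-0000: review risky sign-ins"   # placeholder ticket reference
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # must not exceed the role's maximum
    }
}

# "Provisioned" when activation is immediate; "PendingApproval" when an approver must act.
$request.Status

# Wait for an approver decision, then confirm what is now active (equivalent of Active assignments).
while ((Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
            -UnifiedRoleAssignmentScheduleRequestId $request.Id).Status -eq "PendingApproval") {
    Start-Sleep -Seconds 30
}
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($me.Id)'" -ExpandProperty RoleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, AssignmentType,
                  @{ n = 'EndsAt'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

An activated role shows AssignmentType "Activated" with an EndsAt value, whereas a permanent assignment shows "Assigned" with no end; that difference is the quickest way to spot standing access in your own account.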
Privileged Access Groups
The latest feature of Privileged Identity Management is Privileged Access Groups. This lets you create an Azure AD security group to which Azure AD roles can be assigned. With this approach, instead of assigning individual users to a privileged role, you assign the privileged role to the group and grant the user eligible membership of that group. From the end user's perspective, the activation process is the same. On the back end, instead of activating a role, Azure AD adds the user to the security group for the configured period. Because the group already holds the privileged role, the user receives its rights for as long as they are a member. This allows for more granular group-based controls, such as stricter requirements via Conditional Access for certain groups.
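As an added example (not code from the original article), the following Microsoft Graph PowerShell script builds the arrangement just described: a role-assignable security group, a standing assignment of a privileged role to that group, and a user who is eligible, not a member, until they activate. It assumes a Microsoft.Graph SDK version that includes the PIM for Groups cmdlets (PIM for Groups is the current form of the Privileged Access Groups feature), the Security Administrator template ID, and placeholder group and user names. Step 4 is what the user runs in their own session; it will fail if run from the administrator's session because selfActivate must be requested by the principal.

```powershell
# Added example: Privileged Access Group with a role attached, user eligible for membership.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "PrivilegedAccess.ReadWrite.AzureADGroup"

# 1. Role-assignable security group. isAssignableToRole can only be set when the group is created.
$group = New-MgGroup -DisplayName "PIM-Security-Administrators" -MailNickname "pim-secadmins" `
    -MailEnabled:$false -SecurityEnabled:$true -IsAssignableToRole:$true

# 2. Permanent active assignment of Security Administrator to the group
#    (template ID 194ae4cb-b126-40b2-bd5b-6091b380977d). The group holds the right; members inherit it.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "194ae4cb-b126-40b2-bd5b-6091b380977d" `
    -PrincipalId $group.Id -DirectoryScopeId "/" | Out-Null

# 3. Make a user eligible for membership (placeholder UPN). Eligibility is granted, not membership.
$user = Get-MgUser -UserId "alice@contoso.onmicrosoft.com"
$now  = (Get-Date).ToUniversalTime().ToString("o")
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = "member"            # "owner" would make them eligible to own the group instead
    groupId       = $group.Id
    principalId   = $user.Id
    action        = "adminAssign"
    justification = "Eligible for Security Administrator via group"   # placeholder text
    scheduleInfo  = @{
        startDateTime = $now
        expiration    = @{ type = "afterDateTime"; endDateTime = (Get-Date).AddYears(1).ToUniversalTime().ToString("o") }
    }
} | Out-Null

# 4. Run by the user, in their own session: PIM adds them to the group for the requested window,
#    and the group's role assignment takes effect for them until the window closes.
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter @{
    accessId      = "member"
    groupId       = $group.Id
    principalId   = $user.Id
    action        = "selfActivate"
    justification = "INC-0000: investigate alert"   # placeholder ticket reference
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
```

Because the group is an ordinary role-assignable security group, it can also be targeted by a Conditional Access policy (for example requiring a compliant device), which is the granular control the section above refers to.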